Home Router Botnet Shut Down in Past 72 Hours. Who did it?

On April 11th, 3 weeks ago, we published a story discussing routers at a specific set of ISPs that have been hacked. These routers have been used to launch attacks on WordPress websites. The ISPs with compromised routers included Telecom Algeria, BSNL in India, PLDT in the Philippines and many more large ISPs around the world.

When we discovered this botnet over 3 weeks ago, we started monitoring attacks originating from those IPs. This allowed us to add the attacking IPs to the Wordfence Premium real-time blacklist to protect our customers.

Yesterday morning we noticed that there was a rapid drop-off in attacks from the ISPs we identified 3 weeks ago, that had targeted WordPress websites.

This is what the change in activity looked like from the top 50 ISPs from where these attacks were originating during a 72 hour period ending yesterday (Monday) evening. Click the chart for a larger version.

The chart above shows attacks per hour by ISP. This is the most recent 72 hour period, ending yesterday evening at approximately 5pm Pacific time. Each line is an Internet Service Provider from which these attacks were originating.

As you can see, starting at around midnight on Sunday night (April 30th) Pacific time, the number of attacks we are seeing from ISPs where we found vulnerable routers have dropped from peaks of 40,000 in some cases to peaks of just above 5,000 attacks per hour. In many cases the attacks drop to much lower levels and continue to decrease.

Why did the attacks stop?

The data indicates that this is a botnet that was acting in a coordinated fashion and attacking WordPress sites that we protect. In the past 72 hours, the attack frequency dropped simultaneously across hundreds of ISPs in many countries.

One possibility is that the individual or group controlling the botnet stopped attacking WordPress and that resulted in a rapid decrease in attack volume over a 24 hour period.

Another possibility is that the command and control servers of the botnet were taken offline by a coordinated effort involving security services in multiple countries.

It is worth noting that earlier this month, INTERPOL worked with investigators in Indonesia, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam to identify almost 9,000 command and control servers and just under 270 hacked websites. They produced reports for authorities in each country which allowed local enforcement to take action against the compromised systems.

This kind of coordinated action by INTERPOL is encouraging. It helps protect the global online community and creates a safer internet.

This is great news!

This reduction in attacks originating from hundreds of ISPs around the world is great news. Attacks on WordPress sites around the world have been reduced.

The attacks originating from these ISPs were also resulting in their IP addresses being blacklisted by Wordfence and other services like SpamHaus. That resulted in the customers of those ISPs suffering because certain websites and services would block them. By reducing these attacks, this ensures those ISP customers have full internet access again.

We will continue to monitor the situation

It is unclear whether this reduction in attacks is a permanent change or just a temporary respite. We will continue to monitor the situation and if attacks increase again, the Wordfence algorithms will react very rapidly and will add offending IPs to the Wordfence Premium blacklist in a matter of minutes to protect our WordPress site owners.

As new data emerges, we will publish it here. As always, I encourage you to share your thoughts in the comments below and I will be around to reply if needed. If you haven’t already, please consider joining our mailing list.